AD account active while Mimecst account locked.

How do I explain to a non-technical manager that a user's AD account can be active while the Mimecast account has been locked by Malware on the user's PC? Managers were told that the with single sign-on the AD password granted access to all other systems. I had a problem where some users had spam created by Malware which caused the Mimecast account to be locked. Because the users could still log onto AD, management insists that this type of problem may not be referred to the e-mail administrators.